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Abstract 

Motivated by the trend to outsource work to commercial cloud computing services, we con- 
sider a variation of the streaming paradigm where a streaming algorithm can be assisted by 
a powerful helper that can provide annotations to the data stream. We extend previous work 
on such annotation models by considering a number of graph streaming problems. Without 
annotations, streaming algorithms for graph problems generally require significant memory; we 
show that for many standard problems, including all graph problems that can be expressed with 
totally unimodular integer programming formulations, only a constant number of hash values 
are needed for single-pass algorithms given linear-sized annotations. We also obtain a proto- 
col achieving optimal tradeoffs between annotation length and memory usage for matrix-vector 
multiplication; this result contributes to a trend of recent research on numerical linear algebra 
in streaming models. 

1 Introduction 

The recent explosion in the number and scale of real-world structured data sets including the web, 
social networks, and other relational data has created a pressing need to efficiently process and 
analyze massive graphs. This has sparked the study of graph algorithms that meet the constraints 
of the standard streaming model: restricted memory and the ability to make only one pass (or 
few passes) over adversarially ordered data. However, many results for graph streams have been 
negative, as many foundational problems require either substantial working memory or a prohibitive 
number of passes over the data [Ij. Apparently most graph algorithms fundamentally require 
flexibility in the way they query edges, and therefore the combination of adversarial order and 
limited memory makes many problems intractable. 

To circumvent these negative results, variants and relaxations of the standard graph stream- 
ing model have been proposed, including the Semi-Streaming [2], W-Stream [3], Sort-Stream [4], 
Random-Order [1], and Best-Order [5j models. In Semi-Streaming, memory requirements are re- 
laxed, allowing space proportional to the number of vertices in the stream but not the number 
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of edges. The W-Stream model allows the algorithm to write temporary streams to aid in com- 
putation. And, as their names suggest, the Sort-Stream, Random-Order, and Best-Order models 
relax the assumption of adversarially ordered input. The Best-Order model, for example, allows 
the input stream to be re-ordered arbitrarily to minimize the space required for the computation. 

In this paper, our starting point is a relaxation of the standard model, closest to that put forth 
by Chakrabarti et al. [6], called the annotation model. Motivated by recent work on outsourcing 
of database processing, as well as commercial cloud computing services such as Amazon EC2, 
the annotation model allows access to a powerful advisor, or helper who observes the stream 
concurrently with the algorithm. Importantly, in many of our motivating applications, the helper 
is not a trusted entity: the commercial stream processing service may have executed a buggy 
algorithm, experienced a hardware fault or communication error, or may even be deliberately 
deceptive OE]. As a result, we require our protocols to be sound: our verifier umst detect any lies 
or deviations from the prescribed protocol with high probability. 

The most general form of the annotation model allows the helper to provide additional anno- 
tations in the data stream at any point to assist the verifier, and one of the cost measures is the 
total length of the annotation. In this paper, however, we focus on the case where the helper's 
annotation arrives as a single message after both the helper and verifier have seen the stream. The 
helper's message is also processed as a stream, since it may be large; it often (but not always) 
includes a re-ordering of the stream into a convenient form, as well as additional information to 
guide the verifier. This is therefore stronger than the Best-Order model, which only allows the 
input to be reordered and no more; but it is weaker than the more general online model, because 
in our model the annotation appears only after the input stream has finished. 

We argue that this model is of interest for several reasons. First, it requires minimal coordination 
between helper and verifier, since it is not necessary to ensure that annotation and stream data 
are synchronized. Second, it captures the case when the verifier uploads data to the cloud as 
it is collected, and later poses questions over the data to the helper. Under this paradigm, the 
annotation must come after the stream is observed. Third, we know of no non-trivial problems 
which separate the general online and our "at-the-end" versions of the model, and most prior results 
are effectively in this model. 

Besides being practically motivated by outsourced computations, annotation models are closely 
related to Merlin- Arthur proofs with space-bounded verifiers, and studying what can (and cannot) 
be accomplished in these models is of independent interest. 

Relationship to Other Work. Annotation models were first explicitly studied by Chakrabarti 
et al. in [6j, and focused primarily on protocols for canonical problems in numerical streams, 
such as Selection, Frequency Moments, and Frequent Items. The authors also provided protocols 
for some graph problems: counting triangles, connectedness, and bipartite perfect matching. The 
Best-Order Stream Model was put forth by Das Sarma et al. in [5]. They present protocols 
requiring logarithmic or polylogarithmic space (in bits) for several problems, including perfect 
matching and connectivity. Historical antecedents for this work are due to Lipton [7], who used 
fingerprinting methods to verify polynomial-time computations in logarithmic space. Recent work 
verifies shortest-path computations using cryptographic primitives, using polynomial space for the 
verifier [81. 



Our Contributions. We identify two qualitatively different approaches to producing protocols 
for problems on graphs with n nodes and m edges. In the first, the helper directly proves matching 
upper and lower bounds on a quantity. Usually, proving one of the two bounds is trivial: the helper 
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provides a feasible solution to the problem. But proving optimality of the feasible solution can be 
more difficult, requiring the use of structural properties of the problem. In the second, we simulate 
the execution of a non-streaming algorithm, using the helper to maintain the algorithm's internal 
data structures to control the amount of memory used by the verifier. The helper must provide the 
contents of the data structures so as to limit the amount of annotation required. 

Using the first approach (Section [3]), we show that only constant space and annotation linear in 
the input size m is needed to determine whether a directed graph is a DAG and to compute the size 
of a maximum matching. We describe this as an (m, 1) protocol, where the first entry refers to the 
annotation size (which we also call the hcost) and the second to the memory required for the verifier 
(which we also call the vcost). Our maximum matching result significantly extends the bipartite 
perfect matching protocol of [6], and is tight for dense graphs, in the sense that there is a lower 
bound on the product of hcost and vcost of hcost • vcost = J7(n^) bits for this problem. Second, 
we define a streaming version of the linear programming problem, and provide an (m, 1) protocol. 
By exploiting duality, we hence obtain (m, 1) protocols for many graph problems with totally 
unimodular integer programming formulations, including shortest s-t path, max-flow, min-cut, and 
minimum-weight bipartite perfect matching. We also show all are tight by proving lower bounds of 
hcost - vcost = Q{n?) bits for all four problems. A more involved protocol obtains optimal tradeoffs 
between annotation cost and working memory for dense LPs and matrix-vector multiplication; this 
complements recent results on approximate linear algebra in streaming models (see e.g. [9l |10]). 

For the second approach (Section H]), we make use of the idea of "memory checking" due to Blum 
et al. [TTJ, which allows a small-space verifier to outsource data storage to an untrusted server. We 
present a general simulation theorem based on this checker, and obtain as corollaries tight protocols 
for a variety of canonical graph problems. In particular, we give an (m, 1) protocol for verifying a 
minimum spanning tree, an (m-|-nlogn, 1) protocol for single-source shortest paths, and an (n^, 1) 
protocol for all-pairs shortest paths. We provide a lower bound of hcost • vcost = f](n^) bits for the 
latter two problems, and an identical lower bound for MST when the edge weights can be given 
incrementally. While powerful, this technique has its limitations: there does not seem to be any 
generic way to obtain the same kind of tradeoffs observed above. Further, there are some instances 
where direct application of memory checking does not achieve the best bounds for a problem. 
We demonstrate this by presenting an (n^logn, 1) protocol to find the diameter of a graph; this 
protocol leverages the ability to use randomized methods to check computations more efficiently 
than via generating or checking a deterministic witness. In this case, we rely on techniques to verify 
matrix-multiplication in quadratic time, and show that this is tight via a nearly matching lower 
bound for diameter of hcost • vcost = r2(n^). 

In contrast to problems on numerical streams, where it is often trivial to obtain (m, 1) protocols 
by replaying the stream in sorted order, it transpires that achieving linear-sized annotations with 
logarithmic space is more challenging for many graph problems. Simply providing the solution 
(e.g. a graph matching or spanning tree) is insufficient, since we have the additional burden of 
demonstrating that this solution is optimal. A consequence is that we are able to provide solutions 
to several problems for which no solution is known in the best-order model (even though one can 
reorder the stream in the best-order model so that the "solution" edges arrive first). 
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2 Model and Definitions 



Consider a data stream A = (ai, 02, . . . , Um) with each in some universe U. Consider a proba- 
bihstic verifier V who observes A and a deterministic helper % who also observes A and can send 
a message h to V after ^ has been observed by both parties. This message, also referred to as an 
annotation^ should itself be interpreted as a data stream that is parsed by V, which may permit 

V to use space sublinear in the size of the annotation itself. That is, % provides an annotation 

k{A) = {hl{A),l^2{A),...h^{A)). 

We study randomized streaming protocols for computing functions f{A) — t- Z. Specifically, 
assume V has access to a private random string IZ and at most w{m) machine words of working 
memory, and that V has one-way access to the input A-h, where • represents concatenation. Denote 
the output of protocol V on input A, given helper h and random string H, by out{V,A,Tl, n). We 
allow V to output _L if V is not convinced that the annotation is valid. We say that h is valid for 
A with respect to V if Pr-ji^outiV, A^TZ,h) = f{A)) = 1, and we say that h is 6-invalid for A with 
respect to V if Pr'ji{out{V , A,1Z, h) 7^_L) < 5. We say that /i is a valid helper if A is valid for all A. 
We say that "P is a valid protocol for / if 

1. There exists at least one valid helper h with respect to V and 

2. For all helpers h' and all streams A, either h' is valid for A or h' is ^-invalid for A. 

Conceptually, P is a valid protocol for / if for each stream A there is at least one way to convince 

V of the true value of f{A), and V rejects all other annotations as invalid (this differs slightly from 
[6] to allow for multiple A's that can convince V). The constant | can be any constant less than ^. 

Let H he a valid helper chosen to minimize the length of li{A) for all A. We define the help 
cost hcost('P) to be the maximum length of h over all A of length m, and the verification cost 
vcost(P) = w{m), the amount of working memory used by the protocol P. All costs are expressed 
in machine words of size G(log?Ti) bits, i.e. we assume any quantity polynomial in the input size 
can be stored in a constant number of words; in contrast, lower bounds are expressed in bits. We 
say that V is an {h,v) protocol for / if "P is valid and hcost(^) = 0{h + 1), vcost(^) = 0{v + 1). 
While both hcost and vcost are natural costs for such protocols, we often aim to achieve a vcost of 
0(1) and then minimize hcost. In other cases, we show that hcost can be decreased by increasing 
vcost, and study the tradeoff between these two quantities. 

In some cases, / is not a function of A alone; instead it depends on A and h. In such cases, 

V should simply accept if convinced that the annotation has the correct properties, and output _L 
otherwise. We use the same terminology as before, and say that is a valid protocol if there is a 
valid helper and any h' that is not valid for A is ^-invalid for A. 

In this paper we primarily consider graph streams, which are streams whose elements are edges 
of a graph G. More formally, consider a stream A = (ei, 62, . . . , Cm) with each S [n] x [n]. Such 
a stream defines a (multi)graph G = {V, E) where V = {vi, fn} and E is the (multi)set of edges 
that naturally corresponds to A. We use the notation {i : m(z)} for the multiset in which i appears 
with multiplicity m{i). Finally, we will sometimes consider graph streams with directed edges, and 
sometimes with weighted edges; in the latter case each edge G [n] x [n] x Z+. 

2.1 Fingerprints 

Our protocols make careful use of fingerprints, permutation-invariant hashes that can be efficiently 
computed in a streaming fashion. They determine in small space (with high probability) whether 
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two streams have identical frequency distributions. They are the workhorse of algorithms proposed 
in earlier work on streaming models with an untrusted helper [5l El [TJ [12] . We sometimes also need 
the fingerprint function to be linear. 

Definition 2.1 (Fingerprints). A fingerprint of a multiset M = {i : m{i)} where each i G [q] for 
some known upper bound q is defined as a computation over the finite field with p elements, ¥p, as 
fp^a{^) = X]i=i "^(0^^% where a is chosen uniformly at random from ¥p. We typically leave p,a 
implicit, and just write f(M). 

Some properties of f are immediate: it is linear in M, and can easily be computed incrementally 
as elements of [q] are observed in a stream one by one. The main property of f is that Pr[f(M) = 
f{M')\M 7^ M'] < q/p over the random choice of a (due to standard properties of polynomials 
over a field). Therefore, if p is sufficiently large, say, polynomial in q and in an (assumed) upper 
bound on the multiplicities m(i), then this event happens with only polynomially small probability. 
For cases when the domain of the multisets is not [q], we either establish a bijection to [q] for an 
appropriate value of q, or use a hash function to map the domain onto a large enough [q] such that 
there are no collisions with high probability (whp). In all cases, p is chosen to be 0(1) words. 

A common subroutine of many of our protocols forces Ti to provide a "label" l{u) for each node 
upfront, and then replay the edges in E, with each edge {u,v) annotated with l{u) and l{v) so that 
each instance of each node v appears with the same label l{v). 

Definition 2.2. We say a list of edges E' is label-augmented if (a) E' is preceded by a sorted list 
of all the nodes v £ V, each with a value l{v) and deg{v), where l{v) is the label of v and deg(f) is 
claimed to be the degree of v; and (b) each edge e = {u,v) in E' is annotated with a pair of symbols 
l{e,u) and l{e,v). We say a list of label- augmented edges E' is valid if for all edges e = {u,v), 
l{e,u) = l{u) and l{e,v) = l{v); and E' = E, where E is the set of edges observed in the stream A. 

Lemma 2.3 (Consistent Labels). There is a valid (m, 1) protocol that accepts any valid list of 
label- augmented edges. 

Proof. V uses the annotation from Definition 12.21 (a) to make a fingerprint of the multiset Si := 
{{u, l{u)) : deg(n)}. V also maintains a fingerprint /i of all {u, l{e, u)) pairs seen while observing the 
edges of L. If /i = f(S'i) then (whp) each node u must be presented with label l{e,u) = l{u) every 
time it is reported in an edge e (and moreover u must be reported in exactly deg(u) edges), else 
the multiset of observed (node, label) pairs would not match 5i. Finally, V ensures that E' = E 
by checking that f{E) = f{E'). □ 

3 Directly Proving Matching Upper and Lower Bounds 
3.1 Warmup: Topological Ordering and DAGs 

A (directed) graph G is a DAG if and only if G has a topological ordering, which is an ordering 
oi V as vi, . . . Vn such that for every edge {vi,Vj) we have i < j [l3l Section 3.6]. Hence, if G is 
a DAG, T-L can prove it by providing a topological ordering. If G is not a DAG, H can provide a 
directed cycle as witness. 

Theorem 3.1. There is a valid (m, 1) protocol to determine if a graph is a DAG. 
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Proof. If G is not a DAG, Ti provides a directed cycle C as (^1,^2), iv2,V3) ... {vk,vi). To ensure 
C (^E^n then provides ^ \ C, allowing V to check that f(C U{E\C)) = f{E). 
If G is a DAG, let vi, . . . Vn be a topological ordering of G. We require Ti to replay the edges of 
G, with edge {vi,Vj) annotated with the ranks of Vi and Vj i.e. i and j. We ensure 7^ provides 
consistent ranks via the Consistent Labels protocol of Lemma 12.31 with the ranks as "labels" . If 
any edge {vi,Vj) is presented with j > i,V rejects immediately. □ 

3.2 Maximum Matching 

We give an (m, 1) protocol for maximum matching which leverages the combinatorial structure of 
the problem. Previously, matching was only studied in the bipartite case, where an (m, 1) protocol 
and a lower bound of hcost • vcost = il(n^) bits for dense graphs were shown [6l Theorem 11]. The 
same lower bound applies to the more general problem of maximum matching, so our protocol is 
tight up to logarithmic factors. 

The protocol shows matching upper and lower bounds on the size of the maximum matching. 
Any feasible matching presents a lower bound. For the upper bound we appeal to the Tutte-Berge 
formula [14:\ Chapter 24]: the size of a maximum matching of a graph G = (V,E) is equal to 
i minvgcy (I V^l — occ(G — V5) + where G — is the subgraph of G obtained by deleting the 
vertices of V5 and all edges incident to them, and occ(G — V5) is the number of components in the 
graph G — Vs that have an odd number of vertices. So for any set of nodes V5, — occ(G — 

Vs) + |y|) is an upper bound on the size of the maximum matching, and there exists some Vs for 
which this quantity equals the size of a maximum matching M. Conceptually, providing both Vs 
and M, % proves that the maximum matching size is M. Additionally, % has to provide a proof 
of the value of occ(G — Vs) to V. 

Theorem 3.2. There is a valid (m, 1) protocol for maximum matching. Moreover, any protocol 
for max-matching requires hcost - vcost = hits. 

Proof. To prove a lower bound of k on the size of the maximum matching, % provides a matching 
M = {VasjEm) of size \Em\ = k, and then proves that M is indeed a matching. It suffices to prove 
that \Vm\ = 2|£'Af I and M O E. First, 7i lists Em, and V fingerprints the nodes present as /(Va/). 
H then presents V^ which is claimed to be Vm in sorted order, allowing V to easily check no node 
appears more than once and that fiVu) = fi^u)- Next, 7i provides E \ M, allowing V to check 
that f(M \J{E\M)) = f{E). Hence M is a matching. 

To prove an upper bound of k on the size of the maximum matching, Ti sends a (sorted) set 
Vs C V, where ^dV^I — occ(G — Vs) + \V\) = k. Both \Vs\ and \V\ are computed directly; for 
occ(G — Vs), % sends a sequence of (sub)graphs Gj = {Vi,Ei) '^V x E claimed to be a partition 
of G — V's' into connected components. V can easily compute c, the number of Gj's with an odd 
number of nodes. To ensure that the Gj's are indeed the connected components of G — T^, it suffices 
to show that (a) each Gj is connected in G — V5; (b) F \ V5 is the disjoint union of the V^'s; and 
(c) there is no edge (f , w) G E s.t. v £ Vi,w £ Vj,i ^ j. 

To prove Property (a), Ti presents the (sub)graph Ci as Vi C V (in sorted order) where each 
V is paired with its degree deg(u); followed hy Ei G E (in arbitrary order). Fingerprints are used 
to ensure that the multiset of nodes present in Ei matches the claimed degrees of nodes in V^. If 
these fingerprints agree, then (whp) Ei <Z Vi x Vi. Then T-L uses the connectivity protocol from [6l 
Theorem 5.6] on the (sub)graph Gj = (yi,Ei) to prove that Gj is connected. Each of these checks 
on Ci has hcost 0{\Ei\). Note that V requires only a constant number of fingerprints for these 
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checks, and can use the same working memory for each different Q to check that Ei <^ Vi x Vi and 
that Ci is connected. The total vcost over ah Cj is a constant number of fingerprints; the total 
hcost is 0{m). 

Property (b) is checked by testing f(^{UiVi) U V5) = f{V), where the unions in the LHS count 
multiplicities; if the fingerprints match then whp V \Vs is the disjoint union of the V^'s. For 
(c), it suffices to ensure that each each edge in \ (IJ- Ei) is incident to at least one node in V5, 
as we have already checked that no edges in |Jj Ei cross between Vi and Vj for i ^ j- To this 
end, we use the "Consistent Labels" protocol of Lemma with l(u) = 1 indicating u £ Vs and 
l{u) = indicating u ^ V5, to force Ti to replay all of E with each edge {u,v) annotated with 
l{u) and l{v). This allows V to identify the set Es of edges incident to at least one node in V5. 

V checks that f{{UiEi) U Es) = f^E), which ensures (whp) that Property (c) holds and that over 
the entire partition of G no edges are added or omitted. Finally, provided all the prior fingerprint 
tests pass, the protocol accepts if c, the number of Cj's with an odd number of nodes, satisfies 
^^{\S\-c+\V\) = k. □ 

3.3 Linear Programming and TUM Integer Programs 

We present protocols to solve linear programming problems in our model leveraging the theory of 
LP duality. This leads to non-trivial schemes for a variety of graph problems. 

Definition 3.3. Given a data stream A containing entries of vectors b G M^, c G M^, and non-zero 
entries of a b x c matrix A in some arbitrary order, possibly interleaved. Each item in the stream 
indicates the index of the object it pertains to. The LP streaming problem on A is to determine the 
value of the linear program minjc^x | Ax. < b}. 

We present our protocol as if each entry of each object appears at most once (if an entry does 
not appear, it is assumed to be zero). When this is not the case, the final value for that entry is 
interpreted as the sum of all corresponding values in the stream. 

Theorem 3.4. There is a valid (|A|,1) protocol for the LP streaming problem, where \A\ is the 
number of non-zero entries in the constraint matrix A of A. 

Proof. The protocol shows an upper bound by providing a primal-feasible solution x, and a lower 
bound by providing a dual-feasible solution y. When the value of both solutions match, V is 
convinced that the optimal value has been found. 

From the stream, V fingerprints the sets Sa = {{ii j, Aij)}, Sb = {(^)bj)} and Sc = {{i,Cj)}. 
Then Ti provides all pairs of values cj , Xj , 1 < j < c, with each xj additionally annotated with 
l^l.jl, the number of non-zero entries in column j of A. This allows V to fingerprint the multiset 

Sx = {{j,^j) '■ and calculate the solution cost Yl^j=i ^j^j- 

To prove feasibility, for each row i of A, Ai., TL sends bj, then (the non-zero entries of) Ai. so 
that Aij is annotated with Xj. This allows the ith constraint to be checked easily in constant space. 

V fingerprints the values given by TL for A, b, and c, and compares them to those for the stream. 
A single fingerprint of the multiset of values presented for x over all rows is compared to f(5'x)- 
The protocol accepts x as feasible if all constraints are met and all fingerprint tests pass. 

Correctness follows by observing that the agreement with ^{A) guarantees (whp) that each entry 
of A is presented correctly and no value is omitted. Since TL presents each entry of b and c once, 
in index order, the fingerprints ^{Sb) and f(S'c) ensure that these values are presented correctly. 
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The claimed \A.j\ values must be correct: if not, then the fingerprints of either Sx or Sa will not 
match the multisets provided by H. f{Sx) also ensures that each time Xj is presented, the same 
value is given (similar to Lemma l2.3p . 

To prove that x is primal-optimal, it suffices to show a feasible solution y to the dual so 
that c^x. = b^y. Essentially we repeat the above protocol on the dual, and check that the claimed 
values are again consistent with the fingerprints oi Sa,Sb, Sc- □ 

For any graph problem that can be formulated as a linear program in which each entry of A, 
b, and c can be derived as a linear function of the nodes and edges, we may view each edge in a 
graph stream A as providing an update to values of one or more entries of A, b, and c. Therefore, 
we immediately obtain a protocol for problems of this form via Theorem 13.41 More generally, we 
obtain protocols for problems formulated as totally unimodular integer programs (TUM IPs), since 
optimality of a feasible solution is shown by a matching feasible solution of the dual of its LP 
relaxation |15] . 

Corollary 3.5. There is a valid {\A\, 1) protocol for any graph problem that can be formulated as 
a linear program or TUM IP in which each entry of A, h, and c is a linear function of the nodes 
and edges of graph. 

This follows immediately from Theorem 13.41 and the subsequent discussion: note that the linear- 
ity of the fingerprinting builds fingerprints of Sa, Sb and Sc, soTi presents only their (aggregated) 
values, not information from the unaggregated graph stream. 

Corollary 3.6. Shortest s — t path, max- flow, min-cut, and minimum weight bipartite perfect 
matching (MWBPM) all have valid {m,l) protocols. For all four problems, a lower hound of 
hcost • vcost = Q.{n^) bits holds for dense graphs. 

Proof. The upper bound follows from the previous corollary because all the problems listed possess 
formulations as TUM IPs and moreover the constraint matrix in each case has 0{m + n) non-zero 
entries. For example, for max-fiow, x gives the fiow on each edge, and the weight of each edge in 
the stream contributes (linearly) to constraints on the capacity of that edge, and the fiow through 
incident nodes. 

The lower bound for MWBPM, max-fiow, and min-cut holds from [6, Theorem 11] which 
argues hcost • vcost = O(n^) bits for bipartite perfect matching, and straightforward reductions of 
bipartite perfect matching to all three problems, see e.g. [131 Theorem 7.37]. The lower bound for 
shortest s — t path follows from a straightforward reduction from INDEX, for which a lower bound 
linear in hcost -vcost was proven in [6, Theorem 3.1]. Given an instance {x,k) of index where 
X G {0, 1}" , k e [n^], we construct graph G, with Vg = [n + 2], and Eq = Ea U Eb. Alice creates 
Ea = {{hj) ■ 2;/(ij)=i} from x alone, where / is a 1-1 correspondence [n] x [n] — )• [n^]. Bob creates 
Eb = {{n- + 1,*), + 2)} using f{i,j) = k. The shortest path between nodes n + 1 and n + 2 
is 3 if Xfc = 1 and is 4 or more otherwise. This also implies that any approximation within y^4/3 
requires hcost - vcost = Q.{n'^) (better inapproximability constants may be possible). □ 

Conceptually, the above protocols for solving the LP streaming problem are straightforward: % 
provides a primal solution, potentially repeating it once for each row of A to prove feasibility, 
and repeats the protocol for the dual. There are efficient protocols for the problems listed in the 
corollary since the constraint matrices of their IP formulations are sparse. For dense constraint 
matrices, however, the bottleneck is proving feasibility. We observe that computing ^x reduces to 
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computing b inner-product computations of vectors of dimension c. There are (c",c^~") protocols 
to verify such inner-products j6j . But we can further improve on this since one of the vectors is held 
constant in each of the tests. This reduces the space needed by V to run these checks in parallel; 
moreover, we prove a lower bound of hcost-vcost = r2(min(c, 6)^) bits, and so obtain an optimal 
tradeoff for square matrices, up to logarithmic factors. 

Theorem 3.7. Given abx c matrix A and a c dimensional vector x, the product Ax can be verified 
with a valid (6c",c^~") protocol. Moreover, any such protocol requires hcost-vcost = ri(min(c, 6)^) 
bits for dense matrices. 

Proof. We begin with the upper bound. The protocol for verifying inner-products which follows 
from [6j treats a c dimensional vector as an /i x v array F, where hv > c. This then defines degree c 
polynomials / over a suitably large field, so that for each polynomial f{x,y) = F^^y For an inner- 
product between two vectors, we wish to compute Exe[h],j/GH ^x,yG^,y = Y^x€[h],ye[v] fix,y)g{x,y) 
for the corresponding arrays F, G and polynomials /, g. These polynomials can then be evaluated 
at locations outside [h] x [v], so in the protocol V picks a random position r, and evaluates f{r,y) 
and g{r,y) for 1 < y < v. % then presents a degree h polynomial s{x) which is claimed to be 
Y.l=if{^^y)9{x,y)- V checks that s(r) = Yll=i f(.r^y)9{r,y), and if so accepts Ylx=i^i^) the 
correct answer. 

In [6] it is shown how V can compute f{r,y) efficiently as F is defined incrementally in the 
stream: each addition of tt; to a particular index is mapped to {x,y) € [h] x [v], which causes 
/(r, y) ^ /(r, y) + wp{r, x, y), where p{r, x, y) depends only on x, y, and r. Equivalently, the final 
value of f{r,y) over updates in the stream where the jth update is tj = {wj,Xj,yj) is f{r,y) = 

To run this protocol over multiple vectors in parallel naively would require keeping the /(r, y) 
values implied by each different vector separately, which would be costly. Our observation is that 
rather than keep these values explicitly, it is sufficient to keep only a fingerprint of these values, 
and use the linearity of fingerprint functions to finally test whether the polynomials provided by % 
for each vector together agree with the stored values. 

In our setting, the 6 x c matrix A implies b polynomials of degree c. We evaluate each polynomial 
at (r, y) for 1 < y < v for the same value of r: since each test is fooled by % with small probability, 
the chance that none of them is fooled can be kept high by choosing the field to evaluate the 
polynomials over to have size polynomial in 6 + c. Thus, conceptually, the parallel invocation of b 
instances of this protocol require us to store fi{r,y) for 1 < y < w and 1 < i < b (for the b rows 
of A), as well as fx{T~^y) for 1 < y < f (where fx is the polynomial derived from x). Rather than 
store this set of bv values explicitly, V instead stores only v fingerprints, one for each value of y, 
where each fingerprint captures the set of b values of fi{r,y). 

From the definition of our fingerprints, this means over stream updates tj = {wj,ij,Xj,yj) of 
weight Wj to row ij and column indexed by Xj and yj we compute a fingerprint 

b b 
fiAy) = X]-^*^'''^)"* =J2 J2 Wjp{rj,Xj,y)a'- 

i=l i=l tj:yj=y,ij=i 

for each y, 1 < y < v. Observe that for each y this can be computed incrementally in the stream 
by storing only r and the current value of f{A,y). 

To verify the correctness, V receives the b polynomials Sj, and builds a fingerprint of the multiset 
of S" = {i : Si{r)} incrementally. V then tests whether 
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^f{A,y)Ur,y)=fiS) 

y=l 

To see the correctness of this, we expand the Ihs, as 

V V b 

f{A, y)Ur, y)=Y.{Y. 

y=l y=l i=l 

V b 

y=l i=l 
b V 

i=l y=l 

Likewise, if all Sj's are as claimed, then 

6 b V 

f(5) =Y.s,{r)a' = 5](j;/.(r,y)/,(r,y))a^ 
i=l 1=1 y=l 

Thus, if the Sj's are as claimed, then these two fingerprints should match. Moreover, by the 
Schwartz-Zippel lemma, and the fact that a and r are picked randomly by V and not known to 
%, the fingerprints will not match with high probability if the Sj's are not as claimed, when the 
polynomials are evaluated over a field of size polynomial in (6 + c). 

To analyze the vcost, we observe that V can compute all fingerprints in 0{v) space. As % 
provides each polynomial Si{x) in turn, V can incrementally compute f(S') and check that this 
matches X]y=i f(^) y)/x('^) y)- At the same time, V also computes Y^i=i Z]x=i ^ the value of 

Ax.. Note that if each Si is sent one after another, V can forget each previous Si after the required 
fingerprints and evaluations have been made; and if h is larger than does not even need to keep 
Si in memory, but can instead evaluate it term by term in parallel for each value of x. Thus the 
total space needed by V is dominated by the v fingerprints and check values. 

Setting h = c" and v = c^~", the total size of the information sent by Ti is dominated by the b 
polynomials of degree h = c". 

To prove the lower bound, we give a simple reduction of INDEX to matrix-vector multiplication. 
Suppose we have an instance (x, k) of index where x £ {0, 1}" , k G [n?]- Alice constructs an n x n 
matrix A from x alone, in which Aij = 1 if where / is a 1-1 correspondence [n] x [n] — )• [n^], 

and Aij = otherwise. Assume f{i,j) = k. Bob then constructs a vector x G M" such that Xj = 1 
and all other entries of x are 0. Then the j'th entry of ^x is 1 if and only if Xj^^i j^^i, and therefore 
the value of can be extracted from the vector Ax. Therefore, if we had an {h,v) protocol 

for verifying matrix-vector multiplication given an n x n matrix A (even for a stream in which all 
entries of A come before all entries of x), we would obtain a v^) protocol for index. The 
lower bound for matrix-vector multiplication thus holds by a lower bound for index given in [6l 
Theorem 3.1]. □ 

Corollary 3.8. For c>b there is a valid (c^^"c"^~") protocol for the LP streaming problem. 
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Proof. This follows by using the protocol of Theorem 13.71 to verify Ax. < b and A^y > c within 
the protocol of Theorem 13.41 The cost is (6c" + c6", c^~" + 6^~"), so if c > b, this is dominated by 
(c"*^"*"", c^~") (symmetrically, if 6 > c, the cost is {b^~^°' , b^~°')) . □ 

Our protocol for linear programming relied on only two properties: strong duality, and the 
ability to compute the value of a solution x and check feasibility via matrix-vector multiplication. 
Such properties also hold for more general convex optimization problems, such as quadratic pro- 
gramming and a large class of second-order cone programs. Thus, similar results apply for these 
mathematical programs, motivated by applications in which weak peripheral devices or sensors 
perform error correction on signals. We defer full details from this presentation. 

Theorem 13.71 also implies the existence of protocols for graph problems where both hcost and 
vcost are sublinear in the size of the input (for dense graphs). These include: 

• An (n^^",n^~") protocol for verifying that A is an eigenvalue of the adjacency matrix A or 
the Laplacian L of G: Ti provides the corresponding eigenvector x, and V can use the protocol 
of Theorem 13.71 to verify that Ax = \x or Lx = Xx. 

• An (n^"*"", n^~") protocol for the problem of determining the effective resistance between 
designated nodes s and t in G where the edge weights are resistances. The problem reduces 
to solving an n X n system of linear equations [16] . 

4 Simulating Non-Streaming Algorithms 

Next, we give protocols by appealing to known non-streaming algorithms for graph problems. At 
a high level, we can imagine the helper running an algorithm on the graph, and presenting a 
"transcript" of operations carried out by the algorithm as the proof to V that the final result is 
correct. Equivalently, we can imagine that V runs the algorithm, but since the data structures are 
large, they are stored by T-L, who provides the contents of memory needed for each step. There may 
be many choices of the algorithm to simulate and the implementation details of the algorithm: our 
aim is to choose ones that result in smaller annotations. 

To make this concrete, consider the case of requiring the graph to be presented in a particular 
order, such as depth first order. Starting from a given node, the exploration retrieves nodes in order, 
based on the pattern of edges. Assuming an adjacency list representation, a natural implementation 
of the search in the traditional model of computation maintains a stack of edges (representing the 
current path being explored). Edges incident on the current node being explored are pushed, and 
pops occur whenever all nodes connected to the current node have already been visited. Ti can allow 
V to recreate this exploration by providing at each step the next node to push, or the new head 
of the stack when a pop occurs, and so on. To ensure the correctness of the protocol, additional 
checking information can be provided, such as pointers to the location in the stack when a node is 
visited that has already been encountered. 

We provide protocols for breadth first search and depth first search in Appendix lAl based on 
this idea of "augmenting a transcript" of a traditional algorithm. However, while the resulting 
protocols are lightweight, it rapidly becomes tedious to provide appropriate protocols for other 
computations based on this idea. Instead, we introduce a more general approach which argues that 
any (deterministic) algorithm to solve a given problem can be converted into a protocol in our 
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model. The running time of the algorithm in the RAM model becomes the size of the proof in our 
setting. 

Our main technical tool is the off-line memory checker of Blum et al. [llj . which we use to 
efficiently verify a sequence of accesses to a large memory. Consider a memory transcript of a 
sequence of read and write operations to this memory (initialized to all zeros). Such a transcript is 
valid if each read of address i returns the last value written to that address. The protocol of Blum 
et al. requires each read to be accompanied by the timestamp of the last write to that address; 
and to treat each operation (read or write) as a read of the old value followed by the write of a 
new value. Then to ensure validity of the transcript, it suffices to check that a fingerprint of all 
write operations (augmented with timestamps) matches a fingerprint of all read operations (using 
the provided timestamps), along with some simple local checks on timestamps. Consequently, any 
valid (timestamp-augmented) transcript is accepted by V, while any invalid transcript is rejected 
by V with high probability. 

We use this memory checker to obtain the following general simulation result. 

Theorem 4.1. Suppose P is a graph problem possessing a non-randomized algorithm M in the 
random-access memory model that, when given G = (V, E) in adjacency list or adjacency matrix 
form, outputs P{G) in time t{m,n), where m =\E\ and n = \ V\. Then there is an {m + t{m,n), 1) 
protocol for P. 

Proof sketch. % first repeats (the non-zero locations of) a valid adjacency list or matrix represen- 
tation G, as writes to the memory (which is checked by V); V uses fingerprints to ensure the edges 
included in the representation precisely correspond to those that appeared in the stream, and can 
use local checks to ensure the representation is otherwise valid. This requires 0{m) annotation 
and effectively initializes memory for the subsequent simulation. Thereafter, % provides a valid 
augmented transcript T' of the read and write operations performed by algorithm Ai; V rejects if 
T' is invalid, or if any read or write operation executed in T' does not agree with the prescribed 
action of M. As only one read or write operation is performed by M in each timestep, the length 
of T' is 0{t{m, n)), resulting in an {m + t{m, n), 1) protocol for P. □ 

Although Theorem 14.11 only allows the simulation of deterministic algorithms, 7i can non- 
deterministically "guess" an optimal solution S and prove optimality by invoking Theorem 14.11 on 
a (deterministic) algorithm that merely checks whether S is optimal. Unsurprisingly, it is often the 
case that the best-known algorithms for verifying optimality are more efficient than those finding 
a solution from scratch (see e.g. the MST protocol below); therein lies much of the power of the 
simulation theorem. 

Theorem 4.2. There is a valid (m, 1) protocol to find a minimum cost spanning tree; a valid 
{m + nlogn, 1) protocol to verify single-source shortest paths; and a valid (n^, 1) protocol to verify 
all-pairs shortest paths. 

Proof. We first prove the bound for MST. Given a spanning tree T, there exists a linear-time 
algorithm M for verifying that T is minimum (see e.g. |17j). Let M' be the linear-time algorithm 
that, given G and a subset of edges T in adjacency matrix form, first checks that T is a spanning 
tree by ensuring \T\ = n — 1 and T is connected (by using e.g. breadth-first search), and then 
executes Ai to ensure T is minimum. We obtain an (m, 1) protocol for MST by having T-L provide 
a minimum spanning tree T and using Theorem 14.11 to simulate algorithm Ai' . 
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The upper bound for single-source shortest path follows from Theorem 14.11 and the fact that 
there exist implementations of Djikstra's algorithm that run in time m + n log n. The upper bound 
for all-pairs shortest paths also follows from Theorem 14.11 and the fact that the Floyd- Warshall 
algorithm runs in time O(n^). □ 

We now provide near-matching lower bounds for all three problems. 

Theorem 4.3. Any protocol for verifying single-source or all pairs shortest paths requires hcost • vcost = 
O(n^) bits. Additionally, if edge weights may be specified incrementally, then an identical lower 
bound holds for MST. 

Proof. The lower bounds for single-source and all-pairs shortest paths are inherited from shortest 
s — t path (Corollary 13. 6p . 

To prove the lower bound for MST, we present a straightforward reduction from an instance 
of INDEX, {x,k), where x £ {0,1}" , k £ [n^]. Alice will construct a graph G, with Vg = [n], 
and Eg = Ea- Bob will then construct two graphs, Gi and G2, with Egi = Ea U Eb^ and 
Eg2 = Ea U Eb2- If edge {i,j) is in Ea H Ebi, then we interpret this to mean that the weight of 
edge (i, j) in Eg^ is the sum of its weights in Ea and Ebi- Below, we will write {i,j,w) to denote 
an edge between nodes i and j with weight w. 

Alice creates Ea = {{i,j,l) : from x alone, where / is a bijection [n] x [n] — )• [n^]. 

Bob creates Eb^ = {{u,v,3) : f{u,v) 7^ /c}, and Eb2 = Eb^ U 1)}, where is the edge 

satisfying f{i,j) = k. Edge if it exists, is the lowest-weight edge in Eg^, and hence {i,j) is in 

any min-cost spanning tree of Gi if and only if Xk = 1. In contrast, {i,j) is always in the min-cost 
spanning tree of G2. Therefore, if = 1, then the minimum spanning tree of G2 will be of higher 
cost than that of Gi, because the weight of {i,j) is 1 in Eg^ and 2 in Eg2- And if x^ = 0, then the 
mininmum spanning tree of G2 will be of lower cost than that of Gi, because the weight of edge 
will be 00 in Gi and 1 in G2. Thus, by comparing the cost of the MSTs of Gi and G2, Bob 
can extract the value of x^. The lower bound now follows from the hardness of INDEX [6, Theorem 
3.1]. □ 



Diameter. The diameter of G can be verified via the all-pairs shortest path protocol above, but 
the next protocol improves over the memory checking approach. 

Theorem 4.4. There is a valid (n^logn,l) protocol for computing graph diameter. Further, any 
protocol for diameter requires hcost • vcost = r2(n^) bits. 

Proof, ini Theorem 5.2] gives an (n^log/,1) protocol for verifying that A^ = B for a matrix A 
presented in a data stream and for any positive integer I. Note that if A is the adjacency matrix of 
G; then (I + AY- 7^ if and only if there is a path of length at most I from i to j. Therefore, the 
diameter of G is equal to the unique I > such that {I + A){j / for all {i,j), while (1 + = 
for some {i,j). Our protocol requires 7i to send I to V, and then run the protocol of [6, Theorem 
5.2] twice to verify that I is as claimed. Since the diameter is at most n — 1, this gives an (re^ logn, 1) 
protocol. 

We prove the lower bound via a reduction from an instance of INDEX, (x. A;), where x G {0,1}" 
k G [n^/4]. Alice creates a bipartite graph G = {V,E) from x alone: she includes edge {i,j) in E if 
and only if Xf(^ij) = 1, where / is a bijection from edges to indices. Bob then adds to G two nodes 
L and R, with edges from L to each node in the left partite set, edges from R to each node in the 
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right partite set, and an edge between L and R. This ensures that the graph is connected, with 
diameter at most 3. Finally, Bob appends a path of length 2 to node i, and a path of length 2 to 
node j, where f{i,j) = k. If Xk = 0, then the diameter is now 7, while if Xk = 1, the diameter is 
5. The lower bound follows from the hardness of index [6l Theorem 3.1] (this also shows that any 
protocol to approximate diameter better than \/lA requires hcost • vcost = J7(n^) bits; no effort 
has been made to optimize the inapproximability constant). □ 

5 Conclusion and Future Directions 

In this paper, we showed that a host of graph problems possess streaming protocols requiring 
only constant space and linear-sized annotations. For many applications of the annotation model, 
the priority is to minimize vcost, and these protocols achieve this goal. However, these results 
are qualitatively different from those involving numerical streams in the earlier work [6]: for the 
canonical problems of heavy hitters, frequency moments, and selection, it is trivial to achieve an 
(m, 1) protocol by having T-L replay the stream in sorted ("best") order. The contribution of [6j is in 
presenting protocols obtaining optimal tradeoffs between hcost and vcost in which both quantities 
are sublinear in the size of the input. There are good reasons to seek these tradeoffs. For example, 
consider a verifier with access to a few MBs or GBs of working memory. If an (m, 1) protocol 
requires only a few KBs of space, it would be desirable to use more of the available memory to 
significantly reduce the running time of the verification protocol. 

In contrast to [6], it is non-trivial to obtain (m, 1) protocols for the graph problems we consider, 
and we obtain tradeoffs involving sublinear values of hcost and vcost for some problems with an 
algebraic fiavor (e.g. matrix-vector multiplication, computing effective resistances, and eigenvalues 
of the Laplacian). We thus leave as an open question whether it is possible to obtain such tradeoffs 
for a wider class of graph problems, and in particular if the use of memory checking can be adapted 
to provide tradeoffs. 

A final open problem is to ensure that the work of 7i is scalable. In motivating settings such as 
Cloud computing environments, the data is very large, and 7i may represent a distributed cluster 
of machines. It is a challenge to show that these protocols can be executed in a model such as the 
MapReduce framework. 

Acknowledgements. We thank Moni Naor for suggesting the use of memory checking. 
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A Direct Protocols for Breadth First and Depth First Search 



In this appendix, we consider the problem of "verifying" a breadth first or depth first search. Our 
goal is to force % to provide to V the edges of G in the order they would be visited by a non- 
streaming BFS or DFS algorithm, despite limiting V to logarithmic space. We can accomplish this 
with linear annotation simply by invoking Theorem 14.11 on a BFS or DFS algorithm; however we 
now give "direct" protocols for this problem. Our protocols improve over Theorem 14.11 by constant 
factors, because we avoid having to replay the entire contents of memory at the beginning and end 
of the protocol. As an immediate corollary of our BFS protocol, we obtain an (m, 1) protocol for 
bipartiteness. 

To make precise the notion of "verifying a BFS", we define the concept of a BFS transcript, 
using the concept of a label-augmented list of edges defined in Definition 12.21 

Definition A.l. Given a connected undirected graph G, a BFS transcript T rooted at s is a label- 
augmented list of edges E' , with each label l{e,u) claimed to be the distance from s to u. Let 
de := min(/(e, n), /(e, f )). A BFS transcript is valid if: (a) Edges are presented in increasing order 
of de; (b) E' is a valid list of label- augmented edges; and (c) For all u, l{u) is the (hop) distance 
from s to u. 

For clarity, we make explicit the labels of each edge; a more concise protocol would group edges 
in order of l{e,u) -\- l{e,v). However, this does not alter the asymptotic cost. 

It is easy to see that any valid BFS transcript corresponds to the order edges are visited in an 
actual BFS of G. We therefore say a protocol verifies a BFS if it accepts any valid BFS transcript 
(possibly with additional annotation interleaved) and rejects any invalid BFS transcript with high 
probability. With this in mind, we now define augmented BFS transcripts. 

Any valid BFS transcript corresponds to a possible order of edges being visited in an actual BFS 
of G. So we seek a protocol that accepts any valid BFS transcript (possibly with additional anno- 
tation interleaved), and rejects an invalid transcript (whp). This leads us to define an augmented 
BFS transcript. 

Let T be a BFS transcript. We partition the edges by their distance, so that Ei = {e : d^ = 1} ■ 
Likewise, we define Vi = {u\3e = {u,v) s.t. l{e,u) = I}. In a valid BFS transcript, the sets Vi 
partition V since l{e,u) gives the same distance from s to n every time is is listed; an invalid 
transcript may not have this property. 

Definition A. 2. An augmented BFS transcript T' is a BFS transcript T where additionally before 
each El, Vi+i is presented, along with degrees degi{v), defined as degi{v) = \{u\{u,v) E E,u G 

Vi,veVi+i}\. 

The augmented BFS transcript is valid if the underlying BFS transcript is valid and all claimed 
degrees are truthful. 

Theorem A. 3. There is a valid (m, 1) protocol to accept a valid augmented BFS transcript. 

Proof. To ensure Definition lA.ll (a), V rejects if the edges are not presented in increasing order 
of de, which is trivial to check since l{e,u) and l{e,v) are presented for every edge. V ensures 
Definition lA.il (b) using the "Consistent Labels" protocol of Lemma 12.31 

To verify the augmented transcript, fingerprints ensure multiset {v € : degi{v)} matches 
the multiset of edges e = {u,v) with l{e,u) = l,l{e,v) =1 + 1. V (re)uses the same working 
memory to store these fingerprints for each level I in turn. To ensure Definition lA.il (c). V uses the 
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augmented annotation at each edge-level to reject if a node at level ^ + 1 is not incident to any nodes 
at level I, or if an edge is ever presented with \l{e,u) — l{e,v)\ > 1. An inductive argument ensures 
that l{e, u) is the distance from s to u for all u and all e incident to u (the base case is just l{s) = 0). 
For the vcost, note that any valid augmented BFS transcript has length 0{n + m) = 0{m). □ 

From this theorem, we obtain an (m, 1) protocol for bipartiteness: G is bipartite if and only if 
there is no edge {u,v) with l(e,u) = l{e,v), which is easily checked given a valid augmented BFS 
transcript. Further, any online protocol for bipartiteness requires hcost • vcost = 0(n) bits, even 
when m = 0{n); this lower bound follows by reducing bipartiteness to index [18j, which has the 
same lower bound Theorem 3.1]. 

Our approach for Depth First Search is similar, but more involved. Analogously to BFS, we 
now define DFS transcripts. 

Definition A. 4. Given a connected undirected graph G, a DFS transcript consists ofm-\-2n rows, 
where each row is of the form edge(w,w), push(u), or pop(u). Each symbol push(u) (resp. pop(n)J 
represents a simulated push (pop) of node u on a (simulated) stack. Reading the transcript in 
order, the most recently pushed vertex that has not yet been popped is termed the "top" node. A 
DFS transcript is valid for G = {V, E) if 

(a) Every v is pushed exactly once, immediately after it first appears in an edge; 
(h) Every e £ E is presented exactly once, and is incident to the top node; 

(c) Every v £ V is popped exactly once, when it is the top and all edges incident to it have already 
appeared in the transcript. 

The order edges are visited in an actual DFS of G always corresponds to the ordering of edges 
in a valid DFS transcript, and each simulated push and pop operation corresponds to actual push 
and pop operations in the same DFS. Therefore, just as in the BFS case, we seek a protocol that 
accepts any valid DFS transcript (possibly with additional annotation on each event) and rejects 
invalid DFS transcripts whp. We write t(event, u) = t to denote that the t'th row of the transcript 
is event(u). Thus, the top node at time t is top{t) = argmax„(t(push, n)|t(push, u) <t< t{pop,u)), 
and we say the stack height at time t is height{t) = \{u\t{pus\r\,u) <t< t(pop, n)}|. 

Definition A. 5. An augmented DFS transcript T' is a DFS transcript where in addition: 

(a) before the edges, triples {u,level{u),ntop{u)) are listed for each node in order; 

(b) every edge e = {u,v) is annotated with (t(push, li), t(pop, u), t(push, v ), t(pop, u)). 

(c) each pop('u) with t{pop,u) = t is annotated with {v,t{pus\r\,v),t{pop,v)) where v = top{t + 1) 

Definition A. 6. We say an augmented DFS transcript is valid if 

(a) the underlying DFS transcript is valid; 

(b) for all u, level{u) = height{t{push , u)) and ntop{u) is \{t\top{t) = u}\. 

(c) all t{pus\\,u) and t{pop,u) annotations are consistent; 

(d) the triple after each pop event correctly identifies the new top. 

Theorem A. 7. There is a valid (m, 1) protocol to accept a valid augmented DFS transcript. 

Proof. To ensure Definition ! A. 61 (b) . V initially computes a fingerprint /i of the multiset {(n, level{u)) : 
ntop{u)}. Throughout the protocol, V also tracks height{t), and maintains a fingerprint /2 of all 
{top{t),height{t)) pairs observed while reading the augmented DFS transcript. If property (b) is 
satisfied, /i and /2 will match, otherwise they will differ with high probability. This is essentially 
the "Consistent Labels" protocol applied to this setting. 
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For Definition IA.6I (c) , we use the "Consistent Labels" protocol of Lemma 12.31 to ensure that 
the claimed push times are consistent for all nodes. This protocol presents a list of nodes in sorted 
order accompanied by their t(push,ti) values. This list is also used to check to see that exactly one 
push event is claimed for each node: a fingerprint of the list can then be compared to one generated 
directly from the transcript. The case for pop is identical. 

For Definition IA.6I (d), V can reject if the triple of Definition IA.5I (c) has t(push, > t oi 
t(pop, v) < t. Observe that the stack must have the same height every time v is claimed to be the 
top, else the fingerprints /i and /2 will differ (whp). Thus we can assume that v is always reported 
as top at the same height, which is h = height{t{pu5h,v)). We argue that at any timestep t there 
can be only one node v at height h such that t(push, w) < t < t(pop, v). If not, then let u and f be a 
"witness" pair of nodes both claimed to be at height h such that t(push, u) < t(push, u) < t(pop, v): 
if there are many such nodes, then pick v with the smallest value of t(push, u ), and u likewise with 
the smallest t(push,u) such that the condition is met. For this to happen, there must have been a 
pop event to bring the height below h; either this is to v itself, contradicting the assumptions, or 
to some other node, w. Assuming that t{push,w) < t(pop, to) (else our other checks identify this 
error), then v and w form a witness pair with t{pu5h,w) < t{pop,w) < t(push,u), contradicting the 
claim that u and v formed the earliest witness pair. 

Next, we ensure that the underlying DFS transcript is valid. Definition I A. 41 (a) is easy to 
check, given Definition IA.6I (c), by having V reject if the t'th row of the transcript is edge{u,v) 
and is annotated with t{push,v) > t + 1. Definition IA.4I (b) is also easy to check given Definition 
IA.6I (d): V tracks top{t) implicit from push operations or from annotations on pop events. This 
leaves Definition IA.4I (c) i.e. to ensure that nodes are popped at the correct times. To accomplish 
this, it suffices to have V reject if the t'th row of the transcript is edge(M, v) and is annotated with 
t(pop,n) < t or if the t'th row is pop(u) and top{t) / u. These rules ensure pop{v) cannot occur 
"too early" , i.e. before all edges incident to v have been presented: when such an edge is presented 
in row t, V will reject due to t(pop,v) < t. Likewise, v cannot be popped "too late", since if 
top{t) = V and there are no more edges incident on v, the next edge will not be incident on top{t) 
(required by Definition IA.4I (b)) unless v is popped first. □ 
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